Amendments to the Claims 

This listing of claims will replace all prior versions, and listings, of claims in the 
application: 

Listing of Claims 

Claim 1 (currently amended): A method of providing access to a resource for one or 
more users, said method comprising: 

receiving an authorization request from a first entity to issue authorization data for a user 
the one or more users based on roles access rights associated with the users, said access rights 
including an expression identifying the resource by a resource name and by at least one property 
associated with the resource to conditionally define access to the resource, wherein said 
authorization data is required by a second entity for allowing the first entity to access a resource 
controlled by the second entity; and 

responsive to the received authorization request, issuing the authorization data to the first 
entity, wherein the first entity provides the issued authorization data to the second entity, said 
authorization data including an expression identifying the resource by a resource name and by at 
least one property associated with the resource to conditionally define access to the resource, 
said authorization data further including validation information; 

receiving a validation request from the second entity to validate the issued authorization 
data that was provided to the second entity by the first entity; and 

responsive to the received validation request, validating the authorization data based on 
the validation information included therein. 

Claim 2 (canceled). 
Claim 3 (canceled). 

Claim 4 (currently amended): The method of claim 1, wherein receiving the requests and 
issuing the authorization data occur over a secure sockets layer. 

Claim 5 (currently amended): The method of claim 1, wherein receiving the requests and 
issuing the authorization data occur over a network such as the Internet. 

Claim 6 (currently amended): The method of claim 1, further comprising creating 
authorization data the expression identifying the resource in response to the received 
authorization request. 

Claim 7 (currently amended): The method of claim 6, further comprising encrypting the 
created authorization data expression. 



Claim 8 (canceled). 
Claim 9 (canceled). 

Claim 10 (original): The method of claim 1, wherein one or more computer-readable 
media have computer-executable instructions for performing the method of claim 1. 

Claim 11 (currently amended): A method for validating authorization data to provide 
access to a resource for one or more users, said method comprising: 

receiving an authorization request from a client to issue authorization data for the one or 
more users based on roles associated with the users, wherein said authorization data is required 
by an affiliate server for allowing the client to access a resource controlled by said affiliate 
server; 

responsive to the received authorization request, generating an authorization token having 
a header field, a source field, and a claim field, said header field representing validation 
information, said source field representing the identity of the user, said claim field specifying the 
resource conditionally, said claim field including an expression identifying the resource by a 
resource name and by at least one property associated with the resource to conditionally define 
access to the resource; 
sending the authorization token to the client, wherein the client provides the authorization 
token to the affiliate server; 

receiving authorization data associated with one of the users, said authorization data 
including an expression identifying a resource by a resource name and by a property associated 
with the resource a validation request from the affiliate server to validate the authorization token, 
wherein said validation request includes the authorization token; 

retrieving validation information from the header field of the received authorization data 
token; 

evaluating the retrieved validation information to determine a validation status of the 
received authorization data token; and 

sending a response to the affiliate server indicating the determined validation status 
responsive to said evaluating the retrieved validation information. 

Claim 12 (original): The method of claim 11, further comprising evaluating the 
expression to identify the resource. 

Claim 13 (currently amended): The method of claim 12, wherein evaluating the 
expression comprises extracting a target scope from the received authorization data token, said 
extracted target scope identifying the resource. 

Claim 14 (currently amended): The method of claim 11, wherein receiving the 
authorization data validation request comprises receiving a data packet according to the Simple 
Object Access Protocol (SOAP), and further comprising extracting the authorization data from 
the received data packet. 

Claim 15 (currently amended): The method of claim 11, wherein receiving the validation 
request including the authorization data token occurs over a secure sockets layer. 

Claim 16 (currently amended): The method of claim 11, wherein receiving the validation 
request including the authorization data token occurs over a network such as the Internet. 
Claim 17 (currently amended): The method of claim 11, further comprising decrypting 
the received authorization data token. 

Claim 18 (canceled). 

Claim 19 (currently amended): The method of claim 11, wherein retrieving the validation 
information comprises retrieving a signature from the header of the received authorization data 
token. 

Claim 20 (currently amended): The method of claim 19, wherein evaluating the retrieved 
validation information comprises determining that the retrieved signature is invalid, and wherein 
sending the response comprises sending a response indicating the invalidity of the received 
authorization data token. 

Claim 21 (currently amended): The method of claim 11, wherein retrieving the validation 
information comprises retrieving an expiration date from the header of the received authorization 
token data, and wherein evaluating the retrieved validation information comprises comparing the 
retrieved expiration date to a current time stamp to determine if the received authorization token 
data has expired. 

Claim 22 (currently amended): The method of claim 21, wherein the received 
authorization token data has been determined to be expired, and further comprising sending a 
response indicating the invalidity of the received authorization token data. 
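As an added illustration, not part of the claims listing or the applicant's implementation, the token structure of claim 11 (header, source and claim fields) and the validation steps of claims 13 and 19 through 22 in Python; the HMAC key, the user name, the resource name and the property value are all constructed for the example:

```python
import hashlib
import hmac
import json
import time

# Constructed demonstration key held by the validating authority (not from the page).
AUTHORITY_KEY = b"constructed-demo-key"


def _sign(source, claim, expires, site):
    # The signature covers the claim expression together with the source,
    # expiration and site identifier carried in the header (claims 38-40).
    msg = json.dumps({"source": source, "claim": claim, "expires": expires,
                      "site": site}, sort_keys=True).encode()
    return hmac.new(AUTHORITY_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(user, resource_name, prop, site, ttl=3600, now=None):
    """Claim 11: header = validation information, source = user identity,
    claim = expression naming the resource and one of its properties."""
    now = time.time() if now is None else now
    expires = now + ttl
    claim = {"resource": resource_name, "property": prop}
    header = {"expires": expires, "site": site}
    header["signature"] = _sign(user, claim, expires, site)
    return {"header": header, "source": user, "claim": claim}


def validate_token(token, now=None):
    """Claims 19-22: retrieve the signature and expiration date from the
    header, evaluate them, and return the validation status."""
    now = time.time() if now is None else now
    header = token["header"]
    expected = _sign(token["source"], token["claim"], header["expires"], header["site"])
    if not hmac.compare_digest(expected, header["signature"]):
        return "invalid-signature"          # claim 20
    if header["expires"] <= now:
        return "expired"                    # claims 21 and 22
    return "valid"


def target_scope(token):
    """Claim 13: extract the target scope (resource name, property) from the claim field."""
    c = token["claim"]
    return (c["resource"], c["property"])
```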

Claim 23 (original): The method of claim 11, wherein one or more computer-readable 
media have computer-executable instructions for performing the method recited in claim 11. 

Claim 24 (currently amended): One or more computer-readable media having computer- 
executable components to control access to a resource by one or more users, said components 
comprising: 
an interface component adapted to receive an authorization request from a first entity to 
issue authorization data for the one or more users based on roles associated with the users, 
wherein said authorization data is required by a second entity for allowing the client to access a 
resource controlled by said second entity; 

an interface component adapted to receive authorization data an authorization component 
adapted to issue the requested authorization data for the users based on the roles associated with 
the users, said authorization data including an expression identifying a resource by a resource 
name and by a property associated with the resource and said authorization data including the 
validation information, wherein said interface component is further adapted to receive a 
validation request from the second entity, said validation request including the authorization 
data; 

a parser component adapted to retrieve validation information from the received 
authorization data; and 

a validation component adapted to evaluate the retrieved validation information, wherein 
the interface component is further adapted to send a response to the second entity indicating the 
validation status of the received authorization data responsive to said evaluating the retrieved 
validation information. 

Claim 25 (canceled). 

Claim 26 (canceled). 

Claim 27 (original): The computer-readable media of claim 24, further comprising a 
scope component to evaluate the expression to identify the resource. 



Claim 28 (currently amended): An authorization system comprising: 
a memory area for storing authorization data for use in accessing providing a first entity 
access to a resource accessing that is controlled by a second entity, said authorization 
data including an expression identifying the resource by a resource name and by at least one 
property associated with the resource; and 

a processor configured to execute computer-executable instructions for issuing, 
responsive to a request from the first entity, the authorization data for a user based on a role 
associated with the user and for validating, in response to a request from the second entity, the 
authorization data to provide access to the resource. 

Claim 29 (canceled). 

Claim 30 (original): The system of claim 28, wherein the processor is further configured 
to execute computer-executable instructions for evaluating the expression to identify the 
resource. 

Claim 31 (original): The system of claim 28, wherein the authorization data comprises a 
token. 

Claim 32 (canceled). 
Claim 33 (canceled). 
Claim 34 (canceled). 
Claim 35 (canceled). 

Claim 36 (new): The method of claim 1, wherein the first entity is an application 
program. 


Claim 37 (new): The method of claim 1, wherein the first entity is a computing device. 
Claim 38 (new): The method of claim 1, further comprising generating a signature based 
on the expression identifying the resource, and wherein the validation information includes said 
generated signature. 

Claim 39 (new): The method of claim 1 wherein the validation information includes an 
expiration date. 

Claim 40 (new): The method of claim 1, wherein the validation information further 
includes a site identifier identifying the first entity. 

Claim 41 (new): The method of claim 1 wherein said validation request includes the 
issued authorization data and wherein said validating includes: 

retrieving the validation information from the received authorization data; 
evaluating the retrieved validation information; and 

sending a response to the second entity indicating the validation status of the received 
authorization data responsive to said evaluating the retrieved validation information. 



